[alsa-devel] [bug report] ALSA: usb: initial USB Audio Device Class 3.0 support

Fri Oct 12 15:48:23 CEST 2018

Hello Ruslan Bilovol,

The patch 9a2fe9b801f5: "ALSA: usb: initial USB Audio Device Class
3.0 support" from Mar 21, 2018, leads to the following static checker
warning:

	sound/usb/stream.c:971 snd_usb_get_audioformat_uac3()
	warn: potentially allocating too little.  7 vs 1

sound/usb/stream.c
   943          /*
   944           * Get number of channels and channel map through
   945           * High Capability Cluster Descriptor
   946           *
   947           * First step: get High Capability header and
   948           * read size of Cluster Descriptor
   949           */
   950          err = snd_usb_ctl_msg(chip->dev,
   951                          usb_rcvctrlpipe(chip->dev, 0),
   952                          UAC3_CS_REQ_HIGH_CAPABILITY_DESCRIPTOR,
   953                          USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
   954                          cluster_id,
   955                          snd_usb_ctrl_intf(chip),
   956                          &hc_header, sizeof(hc_header));
                                ^^^^^^^^^^
It looks like this comes from the USB (untrusted).

   957          if (err < 0)
   958                  return ERR_PTR(err);
   959          else if (err != sizeof(hc_header)) {
   960                  dev_err(&dev->dev,
   961                          "%u:%d : can't get High Capability descriptor\n",
   962                          iface_no, altno);
   963                  return ERR_PTR(-EIO);
   964          }
   965  
   966          /*
   967           * Second step: allocate needed amount of memory
   968           * and request Cluster Descriptor
   969           */
   970          wLength = le16_to_cpu(hc_header.wLength);
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
My private build of Smatch complains that all le16_to_cpu() data
probably comes from untrusted sources.

   971          cluster = kzalloc(wLength, GFP_KERNEL);
                ^^^^^^^
Maybe we're not allocating enough bytes for the cluster struct (8 bytes).

   972          if (!cluster)
   973                  return ERR_PTR(-ENOMEM);
   974          err = snd_usb_ctl_msg(chip->dev,
   975                          usb_rcvctrlpipe(chip->dev, 0),
   976                          UAC3_CS_REQ_HIGH_CAPABILITY_DESCRIPTOR,
   977                          USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
   978                          cluster_id,
   979                          snd_usb_ctrl_intf(chip),
   980                          cluster, wLength);
   981          if (err < 0) {
   982                  kfree(cluster);
   983                  return ERR_PTR(err);
   984          } else if (err != wLength) {
   985                  dev_err(&dev->dev,
   986                          "%u:%d : can't get Cluster Descriptor\n",
   987                          iface_no, altno);
   988                  kfree(cluster);
   989                  return ERR_PTR(-EIO);
   990          }
   991  
   992          num_channels = cluster->bNrChannels;
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   993          chmap = convert_chmap_v3(cluster);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This code assumes that cluster is large enough without checking.

   994          kfree(cluster);
   995  

regards,
dan carpenter